Study Notes

Binary Exploitation
BSD
- FreeBSD
CCTV
Computer Science
Cryptography
- Asymmetric-Encryption
  - RSA
- Encoding
  - Base64
  - URL Encoding
- Hash Functions
  - MD5
- Password Hashing
  - LM Hash
- Symmetric Encryption
  - Block Ciphers
    - AES
    - DES
Defensive Security
- Elastic
- Malware Analysis
- MITRE
  - MITRE ATT&CK
- Splunk
DIY
- Cantenna
GNU / Linux
- Story
- Debian
  - Debian Package Manager
  - Firmware
- GNU coreutils
  - What is GNU coreutils
  - Basic operations
    - cp
    - dd
    - mv
    - rm
    - shred
  - Changing file attributes
    - chgrp
    - chmod
    - chown
    - touch
  - Directory listing
    - dir
    - ls
    - vdir
  - File permissions
  - File space usage
    - df
    - du
  - Output of entire files
    - base64
    - cat
    - tac
  - Output of parts of files
    - head
    - tail
  - Printing text
    - echo
    - printf
  - Process control
    - kill
  - Redirection
    - tee
  - Special file types
    - mkdir
  - Summarizing files
    - wc
  - System context
    - arch
    - date
    - hostname
    - uname
    - uptime
  - User information
    - groups
    - id
    - logname
    - pinky
    - users
    - who
    - whoami
  - Working context
    - pwd
- Linux Networking
- Shell
  - ls alieas
  - Shell Commands
  - Shell Variables
- System
  - services (daemons)
- Users
  - su (switch user)
  - Users
Hardware
- ESP32
- GPIO
- Integrated circuit
- microcontroller
- PN532
- RC522
- RTOS
K&R
- Ch 1 - A Tutorial Introduction
macOS
Networking
- Ethernet
- Networking Fundamentals
- Ports
- Pivoting
- Protocols
  - Networking Protocol?
  - ARP
  - DHCP
  - DNS
    - DNS Attacks
    - DNS Fundamentals
  - FTP
  - ICMP
  - RTSP
  - SSH
    - (0) What is SSH
    - OpenSSH
  - TCP
  - UDP
- Proxy
  - Proxy Fundamentals
- VPN
- Wireless
  - (0) Fundamentals
  - Bluetooth
  - NFC
  - RFID
  - Wi-Fi
    - Wi-Fi Alliance
Offensive Security
- Malware Development
Scripting & Automation
- DQ
- Regular Expression
- Shells
Tools
- Nmap
  - Nmap Options
  - What is Nmap
VCS
- What is VCS / Git / GitHub
- Git
- GitHub
  - GitHub Setup and Config
Virtualization
- Virtualization Fundamentals
Web Application Security
- HTTP Headers
  - Content Security Policy (CSP)
Windows
- Microsoft Management Console (MMC)
- Windows NT & MS-DOS
- Active Directory
  - AD Fundamentals
  - AD Attacks & Defense
    - AS-REProasting
    - Kerberoasting
  - AD Protocols
    - DNS in AD
    - Kerberos
    - LDAP
    - MSRPC
    - NTLM
  - AD Users
- File Systems
- Powershell
  - cmdlet
    - cmdlet (command-let)
    - cmdlet commands
      - Active Directory
        
        -Properties
        
        Get-ADGroup
        
        Get-ADUser
- Windows Event Logs
  - EventLog & Event Viewer
  - Get-WinEvent

Pivoting

Pivoting is a post-exploitation technique where an attacker uses a compromised internal machine (the jump host or pivot point) as a bridge to attack other restricted systems on the network.

Imagine this network:

Attacker ───► Compromised Server ───► Internal Network

The attacker cannot directly reach the internal network for many reasons like:

firewalls block access
internal machines are private
segmentation exists

But the compromised server has access to both the attacker and the internal network. So the attacker turns the compromised machine into a pivot point.

That process is called Pivoting

Another Example:

You
 │
 ▼
Web Server (compromised)
 │
 ▼
Database Server (internal only)

You cannot access the database directly. But the web server can. So you “pivot” through it.

Pivoting Techniques

Pivoting techniques are different ways to route traffic through a compromised machine to reach otherwise inaccessible systems.

1. Local Port Forwarding

Simplest form of pivoting. You forward ONE local port to ONE remote service.

Meaning:

Your localhost:8080
    │
    ▼
Pivot Host
    │
    ▼
10.0.0.5:80

When you visit:

127.0.0.1:8080

connects to:

internal host 10.0.0.5
port 80

through the pivot host.

Limitation: Only forwards one service/port.

2. Remote Port Forwarding

Opposite direction. The compromised machine exposes a port that forwards back to the attacker.

Internal Machine
      │
      ▼
Pivot Host port 4444
      │
SSH tunnel
      │
      ▼
Attacker port 4444

Useful when inbound access to victim is blocked or victim can only initiate outbound traffic. Common in reverse shells.

3. Dynamic Port Forwarding (SOCKS Pivoting)

Creates a SOCKS proxy. Instead of forwarding one port, forwards arbitrary traffic dynamically

Flow:

Tool
 │
 ▼
SOCKS Proxy
 │
SSH Tunnel
 │
 ▼
Pivot Host
 │
 ▼
Any Internal Target

4. Reverse Dynamic Port Forwarding

5. VPN Pivoting

6. Layer 3 Routing Pivot

True routing pivot. The compromised host routes packets between networks.

echo 1 > /proc/sys/net/ipv4/ip_forward

Then:

add routes
configure NAT

Now traffic routes normally.

Closest to real router behavior.

8. HTTP/HTTPS Tunneling

9. DNS Tunneling